Magnolia

activation: security hole if you activate a new item

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 3.5.3
  • Fix Version/s: 3.5.4
  • Component/s: activation
  • Description:

    The URL /ActivationHandler is not protected, and if you activate a new item the security checks are bypassed (import).

    As of 3.5.4, the default activation URL is .magnolia/activation. The old URL is supported through a VirtualURI.

Activity

Philipp Bracher [old account - now Philipp Bärfuss] added a comment - 24/Jan/08 2:54 PM

On 3.5 instances before 3.5.4, make sure that the URL /ActivationHandler is protected (deny access to the anonymous role).

Grégory Joseph added a comment - 24/Jan/08 6:19 PM

Please link related issues when appropriate. Please use the multiple Jira IDs in svn commit messages when appropriate.

Dates

  • Created: 24/Jan/08 2:51 PM
  • Updated: 17/Mar/09 7:49 PM
  • Resolved: 24/Jan/08 2:52 PM